Details Emerge on Latest Adobe Flash Zero-Day Exploit

Researchers at Kaspersky Lab said the exploit for the latest Adobe Flash zero day is a password-grabbing Trojan targeting users in China.

Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today.

The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit.

Adobe issued an emergency patch for the zero-day yesterday; CVE-2014-0497 allows an exploit to remotely inject code and control the underlying system hosting the vulnerable software. Flash Player 12.0.0.43 and earlier on Windows and Mac systems are affected as is version 11.2.202.335 on Linux.

Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov reported the bug to Adobe after finding a set of new .swf exploits, said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky Lab.

Once the OS check is done, the malware assembles a return-oriented programming (ROP) chain depending on the version of Windows and Flash that is installed. Shellcode specific to the OS version is then generated and the exploit executes, Zakorzhevsky said.

It appears the attacks start with phishing emails in which the victims are sent infected .docx documents that contain an embedded Flash video, Zakorzhevsky said.

“When a document is opened, an embedded flash exploit drops and starts an easy downloader to the disk, which downloads a fully featured backdoor and a Trojan,” Zakorzhevsky said. “Afterwards, the program steals passwords from popular email clients and grabs logins and passwords from Web forms of popular social media and email services.”

Kaspersky could not confirm whether these were targeted attacks, but it is likely. The malicious .docx and Flash files have titles written in Korean and were found on three computers, one in an email attachment opened on a Mac OS X machine, and two in the browser cache of a Windows 7 machine, likely also after the victim opened an email. The browser used on the Windows machine was Chinese, SogouExplorer, and the Mac mailbox was hosted on 163[.]com, a Chinese web-based email provider.

Researchers were able to find only one exploit containing executable files, a downloader, Trojan-Downloader.Win32.Agent.hdzh, encrypted with Microsoft CryptoAPI and hosted on a free hosting service bugs3[.]com. The executables included password stealers for email clients and social media sites including Google, Yahoo, Twitter, Facebook and many others. The backdoor, Backdoor.Win32.Agent.dfdq, connects to one of three command and control servers: sales[.]eu5[.]org; www[.]mobilitysvc[.]com; and javaupdate[.]flashserve[.]net.
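The hostnames named above can be checked against resolver logs. The following is an added example, not code from Kaspersky Lab or the original article: it refangs the indicators as printed here and sweeps DNS query lines for them. The log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Indicators exactly as defanged in the article.
C2_HOSTS = ["sales[.]eu5[.]org", "www[.]mobilitysvc[.]com",
            "javaupdate[.]flashserve[.]net"]
# Free hosting service that held the downloader; it is shared with
# unrelated sites, so a hit is only a lead, not a confirmed infection.
HOSTING = ["bugs3[.]com"]

def refang(indicator):
    return indicator.replace("[.]", ".").lower()

def normalize(name):
    """Lowercase and strip the root dot so 'Sales.EU5.org.' still matches."""
    return name.strip().lower().rstrip(".")

C2 = {refang(h) for h in C2_HOSTS}
HOST_SUFFIXES = {refang(h) for h in HOSTING}

def classify(qname):
    """Return 'c2', 'hosting' or None for one queried name."""
    name = normalize(qname)
    if name in C2:
        return "c2"
    # Match on a label boundary: 'x.bugs3.com' hits, 'notbugs3.com' does not.
    if any(name == s or name.endswith("." + s) for s in HOST_SUFFIXES):
        return "hosting"
    return None

# Assumed (hypothetical) log layout: "<timestamp> <client IP> <qtype> <qname>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def hunt(lines):
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip entries that do not fit the assumed layout
        ts, client, _qtype, qname = m.groups()
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, normalize(qname), verdict))
    return hits

# Constructed sample data, not taken from any real network.
SAMPLE_LOG = """\
2014-02-05T09:14:02Z 10.0.4.17 A www.example.com
2014-02-05T09:14:09Z 10.0.4.17 A JavaUpdate.FlashServe.net.
2014-02-05T09:15:41Z 10.0.7.3 A files.bugs3.com
2014-02-05T09:16:00Z 10.0.7.3 A notbugs3.com
2014-02-05T09:17:30Z 10.0.9.8 AAAA sales.eu5.org
garbled entry
""".splitlines()
```

Calling hunt(SAMPLE_LOG) returns one tuple per matching query, with the client address to follow up on and a verdict that separates the command and control hostnames from the lower-confidence hosting-service match.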

Zakorzhevsky said the campaign is ongoing and that researchers have not been able to view documents being sent to the command and control server. He said this is likely an isolated campaign and that Kaspersky Lab researchers have not been able to link any of the malicious Word or Flash files to an existing botnet.

There is also no link to the Mask campaign, researchers said. A post on the Securelist blog this week said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Adobe, meanwhile, urges its customers to update Flash immediately because of the active exploits. A complete rundown of updates in the Adobe advisory:

Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.

Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.

Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.

Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.

Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

Authors

Threatpost
